SecurityHeadersMiddleware
in package
implements MiddlewareInterface
Handles common security headers in a convenient way
Table of Contents
Interfaces
- MiddlewareInterface
- Participant in processing a server request and response.
Constants
- ALL = 'all'
- ALLOW_FROM = 'allow-from'
- BY_CONTENT_TYPE = 'by-content-type'
- BY_FTP_FILENAME = 'by-ftp-filename'
- DENY = 'deny'
- MASTER_ONLY = 'master-only'
- NO_REFERRER = 'no-referrer'
- NO_REFERRER_WHEN_DOWNGRADE = 'no-referrer-when-downgrade'
- NONE = 'none'
- NOOPEN = 'noopen'
- NOSNIFF = 'nosniff'
- ORIGIN = 'origin'
- ORIGIN_WHEN_CROSS_ORIGIN = 'origin-when-cross-origin'
- SAME_ORIGIN = 'same-origin'
- SAMEORIGIN = 'sameorigin'
- STRICT_ORIGIN = 'strict-origin'
- STRICT_ORIGIN_WHEN_CROSS_ORIGIN = 'strict-origin-when-cross-origin'
- UNSAFE_URL = 'unsafe-url'
- XSS_BLOCK = 'block'
- XSS_DISABLED = '0'
- XSS_ENABLED = '1'
- XSS_ENABLED_BLOCK = '1; mode=block'
Properties
- $headers : array<string, mixed>
- Security related headers to set
Methods
- noOpen() : $this
- X-Download-Options
- noSniff() : $this
- X-Content-Type-Options
- process() : ResponseInterface
- Serve assets if the path matches one.
- setCrossDomainPolicy() : $this
- X-Permitted-Cross-Domain-Policies
- setReferrerPolicy() : $this
- Referrer-Policy
- setXFrameOptions() : $this
- X-Frame-Options
- setXssProtection() : $this
- X-XSS-Protection
- checkValues() : void
- Convenience method to check if a value is in the list of allowed args
Constants
- ALL: public string = 'all'. X-Permitted-Cross-Domain-Policies value all
- ALLOW_FROM: public string = 'allow-from'. X-Frame-Options value allow-from
- BY_CONTENT_TYPE: public string = 'by-content-type'. X-Permitted-Cross-Domain-Policies value by-content-type
- BY_FTP_FILENAME: public string = 'by-ftp-filename'. X-Permitted-Cross-Domain-Policies value by-ftp-filename
- DENY: public string = 'deny'. X-Frame-Options value deny
- MASTER_ONLY: public string = 'master-only'. X-Permitted-Cross-Domain-Policies value master-only
- NO_REFERRER: public string = 'no-referrer'. Referrer-Policy value no-referrer
- NO_REFERRER_WHEN_DOWNGRADE: public string = 'no-referrer-when-downgrade'. Referrer-Policy value no-referrer-when-downgrade
- NONE: public string = 'none'. X-Permitted-Cross-Domain-Policies value none
- NOOPEN: public string = 'noopen'. X-Download-Options value noopen
- NOSNIFF: public string = 'nosniff'. X-Content-Type-Options value nosniff
- ORIGIN: public string = 'origin'. Referrer-Policy value origin
- ORIGIN_WHEN_CROSS_ORIGIN: public string = 'origin-when-cross-origin'. Referrer-Policy value origin-when-cross-origin
- SAME_ORIGIN: public string = 'same-origin'. Referrer-Policy value same-origin
- SAMEORIGIN: public string = 'sameorigin'. X-Frame-Options value sameorigin
- STRICT_ORIGIN: public string = 'strict-origin'. Referrer-Policy value strict-origin
- STRICT_ORIGIN_WHEN_CROSS_ORIGIN: public string = 'strict-origin-when-cross-origin'. Referrer-Policy value strict-origin-when-cross-origin
- UNSAFE_URL: public string = 'unsafe-url'. Referrer-Policy value unsafe-url
- XSS_BLOCK: public string = 'block'. X-XSS-Protection block; sets enabled with block
- XSS_DISABLED: public string = '0'. X-XSS-Protection disabled
- XSS_ENABLED: public string = '1'. X-XSS-Protection enabled
- XSS_ENABLED_BLOCK: public string = '1; mode=block'. X-XSS-Protection enabled with block
Properties
- $headers: protected array<string, mixed> = []. Security related headers to set
Methods
noOpen()
X-Download-Options
public noOpen() : $this
Sets the header value for it to 'noopen'
Return values: $this

noSniff()
X-Content-Type-Options
public noSniff() : $this
Sets the header value for it to 'nosniff'
Return values: $this

process()
Serve assets if the path matches one.
public process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
Parameters
- $request : ServerRequestInterface. The request.
- $handler : RequestHandlerInterface. The request handler.
Return values: ResponseInterface. A response.
setCrossDomainPolicy()
X-Permitted-Cross-Domain-Policies
public setCrossDomainPolicy([string $policy = self::ALL ]) : $this
Parameters
- $policy : string = self::ALL. Policy value. Available values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
Return values: $this

setReferrerPolicy()
Referrer-Policy
public setReferrerPolicy([string $policy = self::SAME_ORIGIN ]) : $this
Parameters
- $policy : string = self::SAME_ORIGIN. Policy value. Available values: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
Return values: $this

setXFrameOptions()
X-Frame-Options
public setXFrameOptions([string $option = self::SAMEORIGIN ][, string|null $url = null ]) : $this
Parameters
- $option : string = self::SAMEORIGIN. Option value. Available values: 'deny', 'sameorigin', 'allow-from'
- $url : string|null = null. URL if mode is allow-from
Return values: $this

setXssProtection()
X-XSS-Protection
public setXssProtection([string $mode = self::XSS_BLOCK ]) : $this
Parameters
- $mode : string = self::XSS_BLOCK. Mode value. Available values: '1', '0', 'block'
Return values: $this

checkValues()
Convenience method to check if a value is in the list of allowed args
protected checkValues(string $value, array<string|int, string> $allowed) : void
Parameters
- $value : string. Value to check
- $allowed : array<string|int, string>. List of allowed values
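Wiring the middleware above into a CakePHP application, as an added example that is not part of this reference page or of the CakePHP code base; it assumes the standard CakePHP 4.x application skeleton (src/Application.php) and replaces the permissive defaults (cross-domain policy 'all', referrer policy 'same-origin') with explicit, restrictive values.

```php
<?php
// Added example (not from the reference page): register SecurityHeadersMiddleware
// with explicit values instead of relying on the method defaults.
// Assumes the CakePHP 4.x skeleton, where this class lives in src/Application.php.
declare(strict_types=1);

namespace App;

use Cake\Http\BaseApplication;
use Cake\Http\Middleware\SecurityHeadersMiddleware;
use Cake\Http\MiddlewareQueue;

class Application extends BaseApplication
{
    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        $securityHeaders = (new SecurityHeadersMiddleware())
            // X-Content-Type-Options: nosniff, stops browsers guessing MIME types
            ->noSniff()
            // X-Download-Options: noopen, keeps downloads from opening in the site's context
            ->noOpen()
            // X-Permitted-Cross-Domain-Policies: none. The default 'all' permits
            // cross-domain policy files anywhere under the origin.
            ->setCrossDomainPolicy(SecurityHeadersMiddleware::NONE)
            // Referrer-Policy: strict-origin-when-cross-origin, never leaks the full URL
            // to other origins and sends nothing on an HTTPS-to-HTTP downgrade
            ->setReferrerPolicy(SecurityHeadersMiddleware::STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            // X-Frame-Options: deny. 'allow-from' needs the $url argument and current
            // browsers ignore it; use a Content-Security-Policy frame-ancestors
            // directive when specific framing origins must be permitted.
            ->setXFrameOptions(SecurityHeadersMiddleware::DENY)
            // X-XSS-Protection: XSS_BLOCK is sent as '1; mode=block' (XSS_ENABLED_BLOCK)
            ->setXssProtection(SecurityHeadersMiddleware::XSS_BLOCK);

        // Every setter runs checkValues(); a value outside the documented list is
        // rejected rather than being written into the header.
        // process() calls the inner handler first and then adds the headers to the
        // returned response, so placing this middleware near the front of the queue
        // means responses produced by inner middleware (errors, redirects) get them too.
        $middlewareQueue->add($securityHeaders);

        return $middlewareQueue;
    }
}
```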